Sector map-based rapid data encryption policy compliance

ABSTRACT

To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.13/221,629, filed Aug. 30, 2011, entitled “Sector Map-based Rapid DataEncryption Policy Compliance” to Innokentiy Basmov, et al., the entiredisclosure of which is hereby incorporated by reference herein in itsentirety.

BACKGROUND

Computers can be used in various settings, sometimes adhering toparticular policies. For example, when accessing corporate data such asemail from a personal computer, corporate policy may dictate that thepersonal computer must encrypt corporate data stored on the personalcomputer's storage device in order to grant access to the corporatedata. The computer may be unable to access the particular corporateservice until the policy is complied with, but waiting for a storagedevice to be encrypted (which can be on the order of several minutes orhours, depending on the size of the storage device) in order to use thecorporate service can be frustrating for users.

SUMMARY

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

In accordance with one or more aspects, a request to activate a policyfor a computing device is received at the computing device. The policyindicates that data written by the computing device to a storage volumeafter activation of the policy be encrypted. In response to the request,the policy is activated for the device, including encrypting datawritten to the storage volume after returning the indication ofcompliance with the policy, and using a sector map to identify one ormore sectors of the storage volume that are not encrypted. Additionally,in response to the request, an indication of compliance with the policyis returned despite one or more sectors of the storage volume beingunencrypted.

In accordance with one or more aspects, to comply with a policy for acomputing device indicating that data written by the computing device tothe storage volume after activation of the policy be encrypted, a sectormap is accessed. The sector map identifies one or more sectors of astorage volume and also identifies, for each of the one or more sectorsof the storage volume, a signature of the content of the sector. Inresponse to a request to read the content of a sector, the content ofthe sector is returned without decrypting the content if the sector isone of the one or more sectors identified in the storage map and thesignature of the content of the sector matches the signature of thesector identified in the sector map. Otherwise, the content of thesector is decrypted and the decrypted content is returned.

BRIEF DESCRIPTION OF THE DRAWINGS

The same numbers are used throughout the drawings to reference likefeatures.

FIG. 1 is a block diagram illustrating an example computing deviceimplementing rapid compliance with a data encryption policy inaccordance with one or more embodiments.

FIG. 2 illustrates an example sector map in accordance with one or moreembodiments.

FIG. 3 illustrates an example of sector maps maintained in memory andpersisted on a storage device in accordance with one or moreembodiments.

FIG. 4 is a block diagram illustrating another example computing deviceimplementing rapid compliance with a data encryption policy inaccordance with one or more embodiments.

FIG. 5 is a flowchart illustrating an example process for implementingrapid compliance with a data encryption policy in accordance with one ormore embodiments.

FIG. 6 is a flowchart illustrating another example process forimplementing rapid compliance with a data encryption policy using asector map in accordance with one or more embodiments.

FIG. 7 is a flowchart illustrating an example process for implementingrapid compliance with a data encryption policy using an encrypted chunksmap in accordance with one or more embodiments.

FIG. 8 illustrates an example computing device that can be configured toimplement rapid compliance with a data encryption policy in accordancewith one or more embodiments.

DETAILED DESCRIPTION

Rapid compliance with a data encryption policy is discussed herein. Asector map for a storage volume used by a computing device can begenerated, the sector map identifying one or more sectors of a storagevolume as well as a signature of the content of each of the one or moresectors. The sector map can be generated shortly after (or as part of)installing an operating system on the computing device, or alternativelyat a later time prior to activating a policy for the computing device.The policy activated for the computing device indicates that contentwritten by the computing device to the storage volume after activationof the policy be encrypted. After activation of the policy, thecomputing device encrypts content written to sectors of the storagevolume. Additionally, after activation of the policy, content in aparticular sector may or may not be encrypted. The sector map is used toidentify which sectors of the storage volume have encrypted content, andthus which content is to be decrypted before being returned to therequester.

Alternatively, an encrypted chunks map for a storage volume used by acomputing device can be generated, the encrypted chunks map identifyingchunks of sectors of the storage volume. For each chunk of sectors ofthe storage volume, the encrypted chunks map indicates whether thesectors in the chunk are encrypted (or not in use) or are unencrypted.After activation of a policy for the computing device indicating thatcontent written by the computing device to the storage volume afteractivation of the policy is encrypted, data written to the storagevolume is encrypted. If data is written to a chunk that is unencrypted(as determined by the encrypted chunks map), then the sectors in thechunk are encrypted, the data is encrypted and written to the sector,and the encrypted chunks map is updated to indicate that the chunk isencrypted. Whether data read from the storage volume is decrypted isdetermined based on whether the sector from which the data is read isunencrypted (as determined by the encrypted chunks map).

References are made herein to cryptography, which can include symmetrickey cryptography, public key cryptography and public/private key pairs.Although such key cryptography is well-known to those skilled in theart, a brief overview of such cryptography is included here to assistthe reader. In public key cryptography, an entity (such as a user,hardware or software component, a device, a domain, and so forth) has akey (a public key and/or a private key). The public key of apublic/private key pair can be made publicly available, but the privatekey is kept a secret. Without the private key it is computationally verydifficult to decrypt data that is encrypted using the public key. Usingsome public key cryptography algorithms, data can be encrypted by anyentity with the public key and only decrypted by an entity with thecorresponding private key. Additionally, using some public keycryptography algorithms, a digital signature for data can be generatedby using the data and the private key. Without the private key it iscomputationally very difficult to create a signature that can beverified using the public key. Any entity with the public key can usethe public key to verify the digital signature by executing a suitabledigital signature verification algorithm on the public key, thesignature, and the data that was signed.

In symmetric key cryptography, on the other hand, a shared key (alsoreferred to as a symmetric key) is known by and kept secret by the twoentities. Any entity having the shared key is typically able to decryptdata encrypted with that shared key. Without the shared key it iscomputationally very difficult to decrypt data that is encrypted withthe shared key. So, if two entities both know the shared key, each canencrypt data that can be decrypted by the other, but other entitiescannot decrypt the data if the other entities do not know the sharedkey. Similarly, an entity with a shared key can encrypt data that can bedecrypted by that same entity, but other entities cannot decrypt thedata if the other entities do not know the shared key. Additionally,authentication codes or message authentication codes can be generatedbased on symmetric key cryptography, such as using a keyed-hash messageauthentication code mechanism. Any entity with the shared key cangenerate and verify the authentication code or message authenticationcode. For example, a trusted third party can generate a symmetric keybased on an identity of a particular entity, and then can both generateand verify the authentication codes or message authentication codes forthat particular entity (e.g., by encrypting or decrypting the data usingthe symmetric key).

FIG. 1 is a block diagram illustrating an example computing device 100implementing rapid compliance with a data encryption policy inaccordance with one or more embodiments. Computing device 100 can be avariety of different types of devices, such as a physical device or avirtual device. For example, computing device 100 can be a physicaldevice such as a desktop computer, a server computer, a laptop ornetbook computer, a tablet or notepad computer, a mobile station, anentertainment appliance, a set-top box communicatively coupled to adisplay device, a television or other display device, a cellular orother wireless phone, a game console, an automotive computer, and soforth. Computing device 100 can also be a virtual device, such as avirtual machine running on a physical device. A virtual machine can berun on any of a variety of different types of physical devices (e.g.,any of the various types listed above). Thus, computing device 100 mayrange from a full resource device with substantial memory and processorresources (e.g., personal computers, game consoles) to a low-resourcedevice with limited memory and/or processing resources (e.g.,traditional set-top boxes, hand-held game consoles).

Computing device 100 includes an encryption/decryption control module102, a read/write control module 104, a policy module 106, a sector map108, and a storage volume 110. Although particular modules 102, 104, and106 are illustrated in computing device 100, it should be noted that oneor more of modules 102, 104, and 106 can be combined into a singlemodule, or that the functionality of one or more of modules 102, 104,and/or 106 can be separated into multiple modules. Encryption/decryptioncontrol module 102 manages encryption and decryption of data stored onstorage volume 110 using any of a variety of different cryptographictechniques (e.g., using symmetric key cryptography and/or public keycryptography). The data stored on storage volume 110 refers to anyinformation that can be stored, such as program data, user data, systemdata, instructions or code, and so forth.

Encryption/decryption control module 102 typically allows data to beencrypted and/or decrypted only when authorized to do so. Module 102 canbe authorized to allow data to be encrypted and/or decrypted indifferent manners. For example, module 102 can be authorized to allowdata to be encrypted and/or decrypted only after a user of computingdevice 100 has proven that he or she possesses valid credentials toaccess the data. Various different credentials can be used, such asknowledge of a secret phrase (e.g., a password), a private keycorresponding to a certificate, a temporal secret (e.g., a one-timepassword), and so forth. By way of another example, module 102 can beauthorized to allow data to be encrypted and/or decrypted only afterdetecting that computing device 100 is in a particular state (e.g.,conforms to a particular policy). By way of yet another example, module102 can be authorized to allow data to be encrypted and/or decryptedonly after obtaining particular encryption and/or decryption keys storedin or by computing device 100.

Read/write control module 104 manages reading data from and writing datato storage volume 110. This reading and writing includes reading andwriting of encrypted data (also referred to as ciphertext) as well asunencrypted data (also referred to as plaintext). Read/write controlmodule 104 can invoke module 102 to encrypt and/or decrypt data readand/or written as appropriate.

Policy module 106 implements various policies on computing device 100.Each policy identifies one or more behaviors that device 100 is tofollow, such as types of programs that are to be running on device 100(e.g., anti-malware programs), types of security that are to beimplemented by device 100 (e.g., encrypting and decrypting data), and soforth. In one or more embodiments, a policy can indicate that once thepolicy is activated on device 100 (and optionally until the policy isdeactivated), data stored on storage volume 110 is to be encrypted.Activation of a policy refers to the policy being enforced on, andcomplied with by, computing device 100. Policy module 106 can obtain oneor more policies to implement in various manners, such as beingpre-configured with one or more policies, receiving a user input (e.g.,from an administrative user) of one or more policies, receiving one ormore policies from a remote server or service, and so forth.

Storage volume 110 is a storage device that can be implemented using avariety of different technologies, such as a flash memory device, amagnetic disk, an optical disc, combinations thereof, and so forth.Storage volume 110 can also be a portion of a storage device that istreated by computing devices and operating systems logically as astorage device. For example, a storage volume can be a partition of ahard drive, a portion of a flash memory device, and so forth.

Storage volume 110 is illustrated as being included as part of computingdevice 100. For example, storage volume 110 can be an internal storagedevice coupled to an internal bus of device 100, such as using a SerialAdvanced Technology Attachment (SATA) interface, Parallel ATA (PATA)interface, Small Computer System Interface (SCSI) interface, and soforth. By way of another example, storage volume can be an internalstorage device implemented as one or more chips on a same circuit boardas chips implementing one or more of modules 102-106, can be an internalstorage device implemented in the same chip as one or more of modules102-106, and so forth.

Storage volume 110 can alternatively be external to computing device 100and coupled to computing device 100 in a variety of different wiredand/or wireless manners. For example, storage volume 110 can be coupledto computing device 100 via a Universal Serial Bus (USB) connection, awireless USB connection, an IEEE 1394 connection, an external SATA(eSATA) connection, a Bluetooth connection, and so forth. Storage volume110 can be designed to be coupled to different computing devices(concurrently or at different times). In one or more embodiments,storage volume 110 is a removable volume, such as being part of astorage device designed to be easily coupled to and decoupled fromcomputing device 100 and transported to other computing devices. Anexample of such a removable storage volume is a thumb drive or USB flashmemory device. Alternatively, storage volume 110 can take other forms,such as being a network storage device that is coupled to computingdevice 100 via a network (e.g., the Internet, a local area network(LAN), a cellular or other phone network, an intranet, a storage areanetwork (SAN), network-attached storage (NAS), other public and/orproprietary networks, combinations thereof, and so forth).

Storage volume 110 includes multiple sectors in which data can bestored. The data stored in a sector is also referred to as the contentof that sector. Each sector is a portion of storage volume 110, anddifferent storage volumes can have different sector sizes (e.g., 512bytes, 4 k bytes, 8 k bytes, and so forth). A storage volume typicallyhas sectors of the same size, but can alternatively have sectors ofdifferent sizes. Sector map 108 identifies one or more sectors ofstorage volume 110 as well as a signature of the content of each of theone or more sectors. The usage of sector map 108 and the signatures ofthe contents of the sectors are discussed in more detail below. Althoughdiscussed herein as operating on a per-sector basis, it should be notedthat the techniques discussed herein can alternatively operate based onother groupings of content on storage volume 110 in an analogous manner(e.g., based on groupings of multiple sectors or other collections ofcontent).

Sector map 108 is typically stored on a storage device (e.g., storagevolume 110) and copied into a memory (e.g., RAM) of computing device 100when computing device 100 starts operation (e.g., is powered on, reset,etc.). The memory is typically a volatile memory that does not maintainits state when computing device 100 is powered off, but that typicallyhas faster access time than storage volume 110. Alternatively, sectormap 108 can be maintained in a nonvolatile memory (e.g., Flash memory)that does maintain its state when computing device 100 is powered off.

In one or more embodiments, encryption/decryption control module 102,read/write control module 104, and policy module 106 are implemented inan operating system of computing device 100. In response to activationof a policy on computing device 100 indicating data is to be encrypted,data written to storage volume 110 subsequent to activation of thepolicy is encrypted regardless of the application or other programwriting the data to storage. Encryption/decryption control module 102encrypts data written to storage volume 110 for multiple applications,rather than simply a single application.

FIG. 2 illustrates an example sector map 200 in accordance with one ormore embodiments. Sector map 200 can be, for example, sector map 108 ofFIG. 1. Sector map 200 includes multiple sector identifiers andcorresponding sector signatures 202(1), . . . 202(x). The sectoridentifiers in sector map 200 can take a variety of different forms,such as numeric identifiers of the sectors.

It should be noted that although multiple sector identifiers each havinga corresponding sector signature are illustrated in FIG. 2, sector map200 can alternatively be configured in different manners. For example,sector map 200 can arrange sector signatures in groups having acontiguous set or run of sector identifiers. A single sector identifier(e.g., the sector identifier at the beginning or start of the run ofsector identifiers) can be included in sector map 200, and then giventhe size of the sector signatures a particular sector signature withinthat group can be readily identified. For example, if the sectoridentifier at the beginning of a group is sector 732 and sectorsignatures are 6 bytes in length, then it can be readily determined thatthe sector signature for sector 735 is 3×6=18 bytes offset into thegroup of sector signatures. Although only a single sector identifier isincluded in sector map 200 for a group, it should be noted that thesector map is still viewed as identifying the multiple sectors (andcorresponding sector signatures) of the sector identifiers in the set orrun included in that group.

At a particular point in time, sector map 200 is locked. Sector map 200being locked refers to sector map 200 being set or fixed in its currentstate, with no changes to sector map 200 being allowed. Sector map 200can be locked in various manners, such as being stored in a nonvolatilewrite-once memory location, being stored in a portion of storage volume110 accessible only to an operating system of computing device 100 andthe operating system refusing to perform any writes to sector map 200,and so forth. Sector map 200 can be locked at different times (e.g.,when an operating system is installed or a policy is activated), asdiscussed in more detail below.

Sector map 200 need not, and typically does not, include an identifierand corresponding signature for every sector of the storage volume.Rather, sector map 200 includes identifiers and corresponding signaturesof sectors that were written to prior to sector map 200 being locked.Alternatively, sector map 200 can include identifiers of multiplesectors that were not written to prior to sector map 200 being locked,and also include one or more indications of which identified sectorswere written to prior to sector map 200 being locked (e.g., flag values,include signatures for only those sectors that were written to prior tosector map 200 being locked, etc.).

The sector signatures in sector map 200 are a representation of at leastpart of the content in the sector. Sector signatures can be generated ina variety of different manners as a function of the content of thesector. In one or more embodiments, the signature of a sector isgenerated by selecting a particular number of bytes of the content ofthe sector (e.g., the content in the first 6 bytes of the sector, thecontent in the 8 bytes of the sector starting at the 11^(th) byte of thesector, etc.). Alternatively, the signature of a sector can be generatedin different manners, such as by applying a variety of different hashalgorithms to the content of the sector to obtain a hash value, applyingvarious other algorithms or rules to the content of the sector to obtaina value representing the content of the sector, and so forth.

The sector signatures in sector map 200 are used to identify whethercontent of the corresponding sector has changed (which can be used todetermine whether the content is to be decrypted, as discussed in moredetail below) after sector map 200 was locked. At any given time, asignature of the content of a sector identified in sector map 200 can begenerated in the same manner as the signature for that sector wasgenerated for sector map 200. The signature from sector map 200 iscompared to the generated signature for the sector, and a determinationmade as to whether the two signatures match (e.g., are the same). If thetwo signatures match, then the content of the corresponding signaturewas not changed after sector map 200 was locked. However, if the twosignatures do not match, then the content of the corresponding signaturewas changed after sector map 200 was locked.

In one or more embodiments, sector map 200 is maintained in memory or ona storage device in a manner that facilitates quick access to thecontent of sector map 200. For example, sector map 200 can be maintainedon the storage device in a group of contiguous sectors of the storagedevice, in a group of contiguous addresses in memory, and so forth. Thecontent of sector map 200 can additionally be stored on the storagedevice and/or in memory in numeric order based on sector identifier, ina binary tree indexed based sector identifier, and so forth.

In one or more embodiments, the content of sector map 200 is maintainedon the storage device in groups of sector identifiers, each groupincluding a contiguous set or run of sector identifiers. Each groupincludes a header identifying various information about the group, suchas the size of the group (e.g., the number of sectors of the storagedevice that are used to store the group, the number of sectoridentifiers in the run, etc.), a checksum value for the group, an offsetinto the storage volume (or memory) to access the first sectoridentifier and sector signature in the group, and so forth. These groupscan then be readily mapped into a sector map in memory when thecomputing device starts operation (e.g., is powered on, reset, etc.). Itshould be noted that in such embodiments sector map 200 need not includean identifier of each sector identifier, but rather just an indicationof the first sector identifier in the run of sector identifiers and thesector signatures corresponding to the sector identifiers in the run.The sector signature corresponding to a particular sector in the run canthus be readily given the size of the sector signatures.

Returning to FIG. 1, sector map 108 includes identifiers andcorresponding signatures of sectors that were written to prior to sectormap 108 being locked. After sector map 108 is locked, data written tostorage volume 110 is encrypted by encryption/decryption control module102. Such data can include data written to sectors of storage volume 110not previously written to, as well as data written to sectors of storagevolume 110 that were previously written to (overwriting sectors).However, data written to storage volume 110 prior to sector map 108being locked is not encrypted. Accordingly, after sector map 108 islocked, sector map 108 is used to determine whether the sector waswritten to before sector map 108 was locked (and thus is not encrypted),or whether the sector was written to after sector map 108 was locked(and thus is encrypted).

After sector map 108 is locked, when data is requested to be read from asector of storage volume 110, a check is made (e.g., by read/writecontrol module 104 or policy module 106) as to whether the sector isidentified in sector map 108. If the sector is not identified in sectormap 108, then the data written to the sector was written after sectormap 108 was locked, and thus the content of the sector is encrypted.Accordingly, read/write control module 104 invokes encryption/decryptioncontrol module 102 to decrypt the content of the sector prior toreturning the content of the sector to the requester.

However, if the sector is identified in sector map 108, then a check ismade (e.g., by read/write control module 104 or policy module 106) as towhether the signature of the current content of the sector matches thesignature of the sector in sector map 108. If the two signatures match,then the data written to the sector was written before sector map 108was locked, and thus the content of the sector is not encrypted.Accordingly, read/write control module 104 can return the content of thesector to the requester and need not invoke encryption/decryptioncontrol module 102 to decrypt the content of the sector. However, if thetwo signatures do not match, then the data written to the sector waswritten after sector map 108 was locked, and thus the content of thesector is encrypted. Accordingly, read/write control module 104 invokesencryption/decryption control module 102 to decrypt the content of thesector prior to returning the content of the sector to the requester.

In one or more embodiments, read/write control module 104 also maintainsa bitmap corresponding to storage volume 110, each bit in the bitmapcorresponding to a sector of storage volume 110. If a particular sectorof volume 110 is written to after sector map 108 is locked (optionallyjust the first time the particular sector is written to after sector map108 is locked), module 104 sets (e.g., to a value of 1) the bitcorresponding to that particular sector. If a sector has not beenwritten to after sector map 108 was locked then the corresponding bit isnot set (e.g., has a value of 0). When reading the content of a sector,if the bit in the bitmap corresponding to the sector is set, module 104knows that the sector was written to after sector map 108 was locked.Accordingly, module 104 invokes encryption/decryption control module 102to decrypt the content of the sector prior to returning the content ofthe sector to the requester. However, if the bit in the bitmapcorresponding to the sector is not set, then module 104 proceeds tocheck whether the sector is identified in sector map 108 and/or whethersignatures match as discussed above. Alternatively, writing data to asector of storage volume 110 and updating of the bitmap (e.g., settingthe bit corresponding to the sector to a value of 1) can be performed asan atomic operation, in which case if the bit in the bitmapcorresponding to the sector is not set, then module 104 can return thecontent of the sector to the requester and need not invokeencryption/decryption control module 102 to decrypt the content of thesector.

This bitmap can also be used to address signature collisions. Asignature collision occurs when two different contents of a sectorresult in the same signature. The bitmap allows situations in whichthere is a signature collision to be resolved because the bitcorresponding to a sector is set when the sector is written to, somodule 104 knows that the sector was written to after sector map 108 waslocked. The bit corresponding to a sector being set indicates that thesector was written to after sector map 108 was locked regardless ofwhether the signature of the current content of the sector matches thesignature of the sector in sector map 108.

Sector map 108 can be generated and locked at a variety of differenttimes. In one or more embodiments, sector map 108 is generated andlocked as part of installing or initializing an operating system oncomputing device 100. This can be done, for example, by a vendor ordistributor of computing device 100 (e.g., before the purchaser ofcomputing device 100 receives computing device 100), by a user ofcomputing device 100, and so forth. The generation and locking of sectormap 108 can be performed as part of the process of installing theoperating system on computing device 100, or as part of a separateinitialization or setup process for computing device 100. The operatingsystem is installed on computing device 100 with data written to sectorsof storage volume 110 without being encrypted by encryption/decryptioncontrol module 102.

In such embodiments, sector map 108 can be generated in various manners.For example, during installation of the operating system a record ofwhich sectors of storage volume 110 are written to can be maintained.The sectors identified in this record can be identified as sectors insector map 108, and corresponding signatures generated and stored insector map 108. By way of another example, storage volume 110 can bescanned to identify which sectors were written to and which were not,and those sectors that were written to can be identified as sectors insector map 108 and corresponding signatures generated and stored insector map 108. By way of yet another example, an operating system canbe installed on computing device 100 by copying a storage volume imageto storage volume 110, and this storage volume image can include sectormap 108.

Thus, in such embodiments sector map 108 is generated and locked whenthe operating system is installed on computing device 100, withsubsequent writes to storage volume 110 being encrypted as discussedabove. When a policy is activated on device 100 indicating that datastored on storage volume 110 after activation of the policy beencrypted, computing device 100 is in rapid compliance with the policybecause any data written to storage volume 110 after sector map 108 waslocked is encrypted. Computing device 100 need not wait until all ofstorage volume 100 is encrypted before being in compliance with thepolicy. Policy module 106 can thus rapidly indicate compliance with thepolicy despite some sectors of storage volume 110 being unencrypted,because device 100 is already encrypting data written to storage volume110 (and thus will be encrypting data stored on storage volume 110 afteractivation of the policy).

As used herein, rapid compliance with a policy refers to compliancewithin a threshold amount of time and/or without requiring encrypting ofan entire storage volume. This threshold amount of time is typically asmall number (e.g., on the order of several seconds) that is notexpected to cause a noticeable delay to the user. Similarly, rapidindication of compliance with a policy refers to indicating compliancewithin such a threshold amount of time and/or without requiringencrypting of an entire storage volume. It should be noted that policymodule 106 need not intentionally delay in complying with and/orindicating compliance with a policy, but that some delay may occur(e.g., while waiting for device 100 to perform other functions unrelatedto complying with the policy, while locking sector map 108, whileencrypting particular special-purpose files (e.g., paging files, filesused for crash dumps, hibernate files, etc.), and so forth).

In other embodiments, rather than locking sector map 108 as part ofinstalling or initializing an operating system on computing device 100,sector map 108 is locked in response to activation of a policy oncomputing device 100. Prior to locking sector map 108, data is writtento sectors of storage volume 110 without being encrypted byencryption/decryption control module 102, and data is read from sectorsof storage volume 110 without being decrypted by module 102. An initialsector map 108 is generated (e.g., as part of installing or initializingan operating system on computing device 100 as discussed above). Foreach write to a sector, sector map 108 is updated with an identifier ofthe sector written to (if not already included in sector map 108) and acorresponding signature of the content written to that sector. Thus, insuch embodiments sector map 108 is generated over time, and keeps anongoing current identification of which sectors of storage volume 110have been written to as well as the signatures of those sectors thathave been written to.

In response to a request to activate a policy on computing device 100indicating that data stored on storage volume 110 after activation ofthe policy be encrypted, policy module 106 activates the policy. As partof activating the policy, sector map 108 is locked, so subsequent writesto storage volume 110 are encrypted as discussed above. Computing device100 is in rapid compliance with the policy because data written tostorage volume 110 after sector map 108 is locked is encrypted.Computing device 100 need not wait until all of storage volume 100 isencrypted before being in compliance with the policy. Policy module 106can thus rapidly indicate (e.g., with less than a threshold amount ofdelay) compliance with the policy even though some sectors of storagevolume 110 are unencrypted, because subsequent writes to storage volume110 will be encrypted, and device 100 thus will be encrypting datastored on storage volume 110 after activation of the policy.

In embodiments in which sector map 108 keeps an ongoing currentidentification of which sectors of storage volume 110 have been writtento as well as the signatures of those sectors that have been written to,sector map 108 can be maintained in memory (e.g., RAM) and persisted ona storage device (e.g., storage volume 110). In such embodiments, thesectors in sector map 108 can be grouped together, with each group beinga collection of multiple sectors of sector map 108. The number ofsectors in a group can vary, and different groups can have differentnumbers of sectors. Which sectors are included in which groups can bedetermined in different manners. For example, sectors can be groupedtogether by sector number in numeric order, based on hash values of thesector identifiers, and so forth.

FIG. 3 illustrates an example of sector maps maintained in memory andpersisted on a storage device in accordance with one or moreembodiments. FIG. 3 illustrates a storage volume 300 storing a sectormap 302, and a memory 310 storing a sector map 312. Memory 310 istypically a volatile memory that does not maintain its state when thecomputing device including memory 310 is powered off, but that typicallyhas faster access time than storage volume 300. Sector maps 302 and 312are each a version of the same sector map, which can be sector map 108of FIG. 1.

As illustrated, sector maps 302 and 312 each include sectors groupedinto multiple groups. Each group includes multiple sector identifiersand corresponding sector signatures. Additionally, each group has a flagindicating whether the group is dirty or clean, which is used asdiscussed below.

When the computing device starts operation (e.g., is powered on, reset,etc.), sector map 302 is copied from storage volume 300 into memory 310as sector map 312. At this point, the flag value of each group in sectormaps 302 and 312 are set to indicate the corresponding groups are clean(although situations can arise where one or more flag values are set toindicate the corresponding groups are dirty, as discussed below). Thegroup being clean indicates that the content of the group (sectoridentifiers and corresponding sector signatures) on storage volume 300is the same as the content of the group in memory 310. When data issubsequently written to a sector of the storage volume, sector map 312is updated with the signature of the newly written content of thatsector. However, sector map 302 is not yet updated to include thesignature of the newly written content of that sector. Additionally, theflag for the group in sector map 312 including that sector, as well asthe flag for the group in sector map 302 including that sector, is setto indicate the group is dirty (if not already set to indicate the groupis dirty). The group being dirty indicates that the content of the groupon storage volume 300 is not the same as the content of the group inmemory 310.

The content of the dirty groups in sector map 312 are flushed to storagevolume 300 at some point. Flushing the dirty groups to storage volume300 refers to writing the data groups from sector map 312 to sector map302, and setting the corresponding flags of those written groups insector maps 302 and 312 to indicate the corresponding groups are clean.The particular point at which the dirty groups are flushed can vary,such as in response to a threshold number of groups being marked dirty,a threshold amount of time elapsing since a group was marked as beingdirty, during a time of low storage volume usage (e.g., less than athreshold number of read and/or write access to storage volume 300 in athreshold amount of time), and so forth.

When the computing device again starts operation (e.g., is powered on,reset, etc.), each group of sector map 302 that is marked as clean iscopied from storage volume 300 into memory 310 as a group of sector map312. For each group of sector map 302 that is marked as dirty, thesector signatures for the identified sectors in that group are generatedbased on the contents of those identified sectors. These generatedsector signatures are stored in the group in sector map 302 as well asin sector map 312, and the groups are marked as clean in sector maps 302and 312. Thus, although situations can arise in which the computingdevice crashes or loses power before one or more dirty groups in sectormap 312 are flushed to storage volume 300, such situations are readilyresolved when the computing device again starts operation. The flags insector map 302 of each of the one or more dirty groups in sector map 312that were not flushed to storage volume 300 still indicate the group isdirty, and thus the sector signatures are re-generated.

In one or more embodiments, when setting a flag in sector map 302 andsector map 312 due to a particular write to a sector, the write to thesector is not finalized until the flags in maps 302 and 312 are set toindicate the group including the identifier of that sector is dirty.Accordingly, if the computing device were to crash or lose power duringa write, the write to the sector would not be finalized before the flagsin maps 302 and 312 are set to indicate the group is dirty. Thus, due toa crash or loss of power, situations can arise in which a flag in sectormap 302 is set to indicate the group is dirty, but the data that causedthat flag to be set to indicate the group is dirty was not actuallywritten to storage volume 300. Such situations are readily resolvedbecause when the computing device again starts operation the flag insector map 302 is set to indicate that the group is dirty, so the sectorsignatures of the sectors identified in that group are re-generated.Thus, sector maps 302 and 312 maintain an accurate signature for thesector.

Returning to FIG. 1, in one or more embodiments, in response toactivating a policy on computing device 100 indicating that data storedon storage volume 110 after activation of the policy be encrypted,policy module 106 begins the process of encrypting the unencrypted datain sectors of storage volume 110. Which sectors have unencrypted datacan be readily identified (e.g., based on sector map 108, based on abitmap corresponding to storage volume 110 as discussed above, etc.).This can be performed, for example, by requesting that the unencrypteddata from a sector be read and then written back to the sector. As therequest to write the data back to the sector is received after thepolicy is activated, the data written back is encrypted. When nounencrypted data remains on storage volume 110, use of sector map 108can cease—sector map 108 can be deleted and/or ignored because the datathat was written to storage volume 110 before sector map 108 was lockedhas been re-written as encrypted data.

When performing such a process of encrypting the unencrypted data insectors of storage volume 110, a record of which sectors have beenencrypted can be maintained in different manners. For example, afterunencrypted data from a sector is read and written back to the storagevolume as encrypted data, the sector identifier and corresponding sectorsignature for that sector can be removed from sector map 108(effectively unlocking sector map 108 for removal of the sectoridentifier and corresponding sector signature). By way of anotherexample, after unencrypted data from a sector is read and written backto the storage volume as encrypted data, a bit in a bitmap (whichcorresponds to storage volume 110 as discussed above) that correspondsto that sector can be set.

Policy module 106 can perform this process of encrypting the unencrypteddata in sectors of storage volume 110 in different manners. For example,policy module 106 can monitor computing device 100 for, and perform theprocess during, times of low storage volume usage (e.g., less than athreshold number of read and/or write access to storage volume 110 in athreshold amount of time). By way of another example, policy module 106can monitor computing device 100 for, and perform the process during,times when computing device 100 is not typically being used (e.g.,between midnight and 4:00 am). By way of yet another example, policymodule 106 can monitor computing device 100 for, and perform the processduring, times when computing device 100 is plugged in (e.g., operatingon AC power rather than on battery power).

FIG. 4 is a block diagram illustrating another example computing device400 implementing rapid compliance with a data encryption policy inaccordance with one or more embodiments. Computing device 400 can be avariety of different types of devices, such as a physical device or avirtual device, analogous to computing device 100 of FIG. 1.

Computing device 400 includes an encryption/decryption control module102, a read/write control module 104, a policy module 106, and a storagevolume 110, analogous to computing device 100 of FIG. 1. However, ratherthan a sector map, computing device 400 includes an encrypted chunks map402 and a conversion log 404.

In embodiments using encrypted chunks map 402, encrypted chunks map 402groups sectors of storage volume 110 together into chunks. Each chunk isa collection of multiple sectors of storage volume 110. The number ofsectors in a chunk can vary, and different chunks can have differentnumbers of sectors. Which sectors are included in which chunks can bedetermined in different manners. For example, sectors can be groupedtogether by sector number in numeric order. Encrypted chunks map 402identifies whether, for each chunk of sectors of storage volume 110, thesectors included in the chunk are unencrypted or encrypted (oroptionally not in use). If the sectors in the chunk are unencrypted thenthe chunk is also referred to as being unencrypted. Similarly, if thesectors in the chunk are encrypted (or not in use), then the chunk isalso referred to as being encrypted (or not in use).

Encrypted chunks map 402 is typically a bitmap. For example, encryptedchunks map 402 can include multiple bits, each bit corresponding to achunk of sectors of storage volume 110, and each bit being set (e.g., toa value of 1) to indicate that the sectors in the corresponding chunkare encrypted (or not in use), or is not set (e.g., have a value of 0)to indicate that the sectors in the corresponding chunk are unencrypted.Alternatively other maps or records other than a bitmap can be used.

Discussions herein make reference to indicating whether a correspondingchunk is encrypted or not in use (e.g., the bit corresponding to thechunk is set). Alternatively, encrypted chunks map 402 can indicatewhether a corresponding chunk is encrypted without supporting thepossibility that the chunk is not in use. For example, the bitcorresponding to the chunk is set to indicate the chunk is encrypted(and is not set solely because the chunk is not in use).

Prior to activation of a policy on computing device 400 indicating thatdata stored on storage volume 110 after activation of the policy beencrypted, encrypted chunks map 402 need not be used. Data can bewritten to and read from storage volume 110 without being encrypted.However, in response to activation of a policy on computing device 400indicating that data stored on storage volume 110 after activation ofthe policy be encrypted, read/write control module 104 invokesencryption/decryption control module 102 to have data written to storagevolume 110 encrypted. Read/write control module 104 also uses encryptedchunks map 402 to determine whether to decrypt data read from storagevolume 110. Computing device 400 is thus in rapid compliance with thepolicy because data written to storage volume 110 after the policy isactivated is encrypted. Computing device 400 need not wait until all ofstorage volume 100 is encrypted before being in compliance with thepolicy. Policy module 106 can thus rapidly indicate (e.g., with lessthan a threshold amount of delay) compliance with the policy even thoughsome sectors of storage volume 110 are unencrypted, because subsequentwrites to storage volume 110 will be encrypted, and device 400 thus willbe encrypting data stored on storage volume 110 after activation of thepolicy.

In one or more embodiments, multiple versions of encrypted chunks map402 are maintained. For example, two versions (a most recent version anda previous version) of encrypted chunks map 402 can be maintained. Eachversion typically has a version number or other identifier (e.g., withmore recent versions having higher version numbers than less recentversions). When a change is made to encrypted chunks map 402, theprevious version of encrypted chunks map 402 is replaced by the mostrecent version of encrypted chunks map 402, and then the change is madeto the most recent version of encrypted chunks map 402. Thus, the twoversions of encrypted chunks map 402 include a most recent version ofencrypted chunks map 402, and the next most recent version of encryptedchunks map 402.

Additionally, versions of encrypted chunks map 402 can be can bemaintained in memory (e.g., RAM) and persisted on a storage device(e.g., storage volume 110). In one or more embodiments, each time achange is made to a version of encrypted chunks map 402, the version inmemory as well as the version persisted on the storage device areupdated. Alternatively, at least part of encrypted chunks map 402 can bemaintained in a nonvolatile memory (e.g., Flash memory) that maintainsits state when computing device 400 is powered off, in which caseversions of at least that part of encrypted chunks map 402 need not beboth maintained in memory and persisted on a storage device.

After the policy (indicating that data stored on storage volume 110after activation of the policy be encrypted) is activated, when data isrequested to be read from a sector of storage volume 110, encryptedchunks map 402 is checked (e.g., by read/write control module 104 orpolicy module 106) to determine whether the chunk including the sectorbeing read from is unencrypted (e.g., the bit corresponding to the chunkincluding the sector is not set). If the chunk is unencrypted, thenread/write control module 104 reads the sector and returns the contentof the sector to the requester. However, if the chunk has been encryptedor is not in use (e.g., the bit corresponding to the chunk including thesector is set), then read/write control module 104 invokesencryption/decryption control module 102 to decrypt the content of thesector, and returns the decrypted content of the sector to therequester.

After the policy (indicating that data stored on storage volume 110after activation of the policy be encrypted) is activated, when data isrequested to be written to a sector of storage volume 110, encryptedchunks map 402 is checked (e.g., by read/write control module 104 orpolicy module 106) to determine whether the chunk including the sectorbeing written to is unencrypted (e.g., the bit corresponding to thechunk including the sector is not set). If the chunk is not unencrypted(the sectors in the chunk have already been encrypted or are not inuse), then read/write control module 104 invokes encryption/decryptioncontrol module 102 to encrypt the content of the sector, and writes theencrypted content of the sector to storage volume 110.

However, if the chunk is unencrypted, then read/write control module 104holds the write request to allow the other sectors in the chunk thatincludes the sector being written to be encrypted. Module 104 reads thecontent of the sectors in the chunk (e.g., all the sectors in the chunk,or those sectors in the chunk other than the sector to which data isrequested to be written). Module 104 invokes encryption/decryptioncontrol module 102 to encrypt each of the sectors that is read, andwrites the encrypted content of each of those sectors to storage volume110.

Module 104 also maintains a record of the sectors that were encrypted inconversion log 404. Conversion log 404 includes identifiers of thesectors that were encrypted and signatures of the sectors, analogous tothe sector identifiers and sector signatures of sector map 108 discussedabove. However, the signatures in conversion log 404 are typicallysignatures of the sectors storing encrypted content. Conversion log 404is maintained in memory (e.g., RAM) and persisted on a storage device(e.g., storage volume 110), analogous to versions of encrypted chunksmap 402. Alternatively, conversion log 404 can be maintained in anonvolatile memory (e.g., Flash memory) that maintains its state whencomputing device 400 is powered off, in which case conversion log 404need not be both maintained in memory and persisted on a storage device.Additionally, multiple versions of conversion log 404 can be maintained,analogous to encrypted chunks map 402 versions.

After the encrypted content of the sectors is written to storage volume110 and conversion log 404 (in memory and persisted on the storagedevice) is updated, encrypted chunks map 402 is changed to reflect thatthe chunk that includes the data being written to has been encrypted.For example, the bit corresponding to the chunk that includes the sectorbeing written to is set. Read/write control module 104 then ceasesholding the write request, and re-processes the write request. The chunkthat includes the sector being written to is no longer unencrypted, andthus read/write control module 104 invokes encryption/decryption controlmodule 102 to encrypt the content of the sector, and writes theencrypted content of the sector to storage volume 110 as discussedabove. It should be noted that various changes to this ordering can bemade. For example, the data being written can be encrypted prior to thewrite request being held.

Alternatively, rather than re-processing the write request, module 104can read the content of the sectors in the chunk, replace the sectorbeing written to with the content being written as part of the writerequest, and write the encrypted content of the sectors of the chunk tostorage volume 110. Thus, the write request is effectively incorporatedinto the reading, encrypting, and writing of the chunk.

In one or more embodiments, in response to activating a policy oncomputing device 400 indicating that data stored on storage volume 110after activation of the policy be encrypted, policy module 106 begins aprocess of identifying chunks of sectors of storage volume 110 that arenot in use. Whether a particular sector of storage volume 110 is in usecan be determined in different manners, such as by obtaining anindication from an operating system of computing device 400 as to whichsectors are in use and which sectors are not in use. In response todetecting a chunk for which all sectors in the chunk are not in use,policy module 106 changes encrypted chunks map 402 to indicate thatchunk is encrypted or not in use (e.g., a bit corresponding to thatchunk is set). Thus, encrypted chunks map 402 can initially indicatethat all chunks are unencrypted, and then have chunks marked asencrypted or not in use as those chunks are encrypted or identified asnot in use.

Policy module 106 can perform this process of identifying chunks thatare not in use in different manners. For example, policy module 106 canmonitor computing device 400 for, and perform the process during, timesof low storage volume usage (e.g., less than a threshold number of readand/or write access to storage volume 110 in a threshold amount oftime). By way of another example, policy module 106 can monitorcomputing device 400 for, and perform the process during, times whencomputing device 400 is not typically being used (e.g., between midnightand 4:00 am). By way of yet another example, policy module 106 canmonitor computing device 400 for, and perform the process during, timeswhen computing device 400 is plugged in (e.g., operating on AC powerrather than on battery power).

Similarly, in one or more embodiments policy module 106 can begin aprocess of encrypting the unencrypted data in sectors of storage volume110. Policy module 106 can begin encrypting the unencrypted data insectors of storage volume 110 at different times, such as after theprocess of identifying chunks of sectors of storage volume 110 that arenot in use has been completed, in response to activating a policy oncomputing device 400 indicating that data stored on storage volume 110after activation of the policy be encrypted, and so forth. Which sectorshave unencrypted data can be readily identified (e.g., the sectorsincluded in chunks having corresponding bits in encrypted chunks map 402that are not set, other records or logs maintained by policy module 106and/or an operating system of computing device 400). The encrypting ofunencrypted data in sectors of storage volume 110 can be performed, forexample, by requesting that the unencrypted data from sectors in a chunkbe read and then written back to those sectors. As the request to writethe data back to the sectors is received after the policy is activated,the data written back is encrypted. Once the encrypted sectors of achunk are written back, encrypted chunks map 402 is changed to reflectthat the chunk is no longer unencrypted (e.g., the bit corresponding tothe chunk is set).

When no unencrypted data remains on storage volume 110, use of encryptedchunks map 402 can cease, and encrypted chunks map 402 can be deletedand/or ignored. The data that was written to storage volume 110 beforeencrypted chunks map 402 was used has been re-written as encrypted data,and data written to storage volume 110 using encrypted chunks map 402 isencrypted. Read/write control module 104 can simply invokeencryption/decryption control module 102 to encrypt data being writtenand decrypt data being read without using encrypted chunks map 402.

When performing such a process of encrypting the unencrypted data insectors of storage volume 110, a record of which sectors have beenencrypted can be maintained in different manners. For example, aseparate log or record of which sectors have been encrypted can bemaintained by policy module 106. By way of another example, afterunencrypted data from sectors in a chunk is read and written back to thestorage volume as encrypted data, a bit in encrypted chunks map 402corresponding to the chunk can be set.

Policy module 106 can perform this process of encrypting unencryptedsectors in different manners. For example, policy module 106 can monitorcomputing device 400 for, and perform the process during, times of lowstorage volume usage (e.g., less than a threshold number of read and/orwrite access to storage volume 110 in a threshold amount of time). Byway of another example, policy module 106 can monitor computing device400 for, and perform the process during, times when computing device 400is not typically being used (e.g., between midnight and 4:00 am). By wayof yet another example, policy module 106 can monitor computing device400 for, and perform the process during, times when computing device 400is plugged in (e.g., operating on AC power rather than on batterypower).

Although a single encrypted chunks map 402 is illustrated in computingdevice 400, alternatively multiple encrypted chunks maps 402 can beincluded (each having multiple versions as discussed above). Thesedifferent encrypted chunks maps 402 can correspond to different parts ofstorage volume 110. These different parts can be determined in differentmanners, such as particular collections of sectors of storage volume 110having a particular size (e.g., collections of sectors totaling 2-4Gigabytes). Each of these different encrypted chunks maps is used asdiscussed above, and which of the multiple encrypted chunks maps is usedis dependent on the particular sector or sectors being read from orwritten to for a particular request.

Situations can arise in which computing device 400 crashes or losespower during a write, such as when data is being written to storagevolume 110, when a conversion log or encrypted chunks map is beingpersisted, and so forth. To resolve such situations, when computingdevice 400 boots (e.g., due to being restarted, reset, etc.) read/writecontrol module 104 retrieves the most recent valid version of encryptedchunks map 402 persisted on storage volume 110. Whether a particularversion of encrypted chunks map 402 is valid can be determined indifferent manners (e.g., based on a checksum or other value stored withthe encrypted chunks map 4020 on storage volume 110). Read/write controlmodule 104 also retrieves the most recent valid version of conversionlog 404 persisted on storage volume 110. Whether a particular version ofconversion log 404 is valid can be determined in different manners(e.g., based on a checksum or other value stored with the conversion log404 on storage volume 110).

Conversion log 404 includes an indication of the most recently encryptedsector (or chunk). For the most recently encrypted sector (or chunk), ifencrypted chunks map 402 indicates that the chunk that includes the mostrecently encrypted sector (or the most recently encrypted chunk) is notunencrypted (e.g., the bit corresponding to the chunk is set), then norecovery need be performed. However, if encrypted chunks map 402indicates that the chunk that includes the most recently encryptedsector (or the most recently encrypted chunk) is unencrypted (e.g., thebit corresponding to the chunk is not set), then recovery may beperformed. What recovery is to be performed can be determined indifferent manners, such as based on signatures of the sectors (e.g.,which sectors in the chunk have been encrypted can be determined basedon the signatures—if the signature of the sector in conversion log 404matches (e.g., is the same as) the signature of the sector on storagevolume 110 then the sector has been encrypted, and if the signatures donot match then the sector has not been encrypted). Sectors in the chunkthat have not been encrypted are encrypted, and the bit in the encryptedchunks map 402 corresponding to the chunk is set. One or more otheroperating system modules supporting recovery can optionally be invokedto perform the recovery.

Signatures of encrypted sectors are discussed above as stored inconversion log 404. Alternatively, the signatures in conversion log 404can be signatures of unencrypted sectors. In such situations, a sectorcan be decrypted and the signature of the unencrypted content of thesector generated. If the signature of the unencrypted content of thesector matches (e.g., is the same as) the signature of the sector inconversion log 404 then the sector has been encrypted, and if thesignatures do not match then the sector has not been encrypted.

FIG. 5 is a flowchart illustrating an example process 500 forimplementing rapid compliance with a data encryption policy inaccordance with one or more embodiments. Process 500 is carried out by acomputing device, such as computing device 100 of FIG. 1, and can beimplemented in software, firmware, hardware, or combinations thereof.Process 500 is shown as a set of acts and is not limited to the ordershown for performing the operations of the various acts. Process 500 isan example process for implementing rapid compliance with a dataencryption policy; additional discussions of implementing rapidcompliance with a data encryption policy are included herein withreference to different figures.

In process 500, a request to activate a policy for a computing device isreceived (act 502). The policy indicates that data written by thecomputing device to a storage volume after activation of the policy beencrypted. The request can be received from various sources, such asuser of the computing device, a service being accessed by the computingdevice, an administrator of a network to which the computing device iscoupled, and so forth.

The policy is activated for the computing device in response to therequest (act 504). By activating the policy, data written to the storagevolume after returning the indication of compliance with the policy isencrypted, despite one or more sectors of the storage volume beingunencrypted (plaintext).

An indication of compliance with the policy is also returned in responseto the request (act 506). This indication can be returned immediately asa rapid indication of compliance, and can be returned despite one ormore sectors of the storage volume being unencrypted (plaintext).

FIG. 6 is a flowchart illustrating an example process 600 forimplementing rapid compliance with a data encryption policy using asector map in accordance with one or more embodiments. Process 600 iscarried out by a computing device, such as computing device 100 of FIG.1, and can be implemented in software, firmware, hardware, orcombinations thereof. Process 600 is shown as a set of acts and is notlimited to the order shown for performing the operations of the variousacts. Process 600 is an example process for implementing rapidcompliance with a data encryption policy using a sector map; additionaldiscussions of implementing rapid compliance with a data encryptionpolicy using a sector map are included herein with reference todifferent figures.

In process 600, a sector map identifying one or more sectors of astorage volume is accessed (act 602). The sector map is accessed tocomply with a policy indicating that data written by the computingdevice to the storage volume after activation of the policy beencrypted. The sector map is typically accessed from volatile memory asdiscussed above, and can be copied into volatile memory from the storagevolume as appropriate.

After activation of the policy, a request to read the content of asector of the storage volume is received (act 604). In response to therequest, a check is made as to whether the sector is identified in thesector map (act 606).

If the sector is identified in the sector map, then a check is made asto whether the signature of the content of the sector matches thesignature for that sector as identified in the sector map (act 608). Ifthe signature of the content of the sector matches the signature forthat sector as identified in the sector map, then the content of thesector is returned without decrypting the content (act 610). The contentis returned to a requester from which the request to read the contentwas received, such as another program or application running on thecomputing device.

However, if the signature of the content of the sector does not matchthe signature for that sector as identified in the sector map in act608, or if the sector is not identified in the sector map in act 606,then the content of the sector is decrypted (act 612), and the decryptedcontent is returned (act 614). The content is returned to a requesterfrom which the request to read the content was received, such as anotherprogram or application running on the computing device.

Alternatively, a bitmap with bits indicating whether correspondingsectors have been written to after the sector map was locked can be usedas discussed above. When using such a bitmap, an additional act prior toact 606 is included in process 600, the additional act being checkingwhether the bitmap indicates that the sector has been written to afterthe sector map was locked. If the bitmap indicates that the sector hasbeen written to after the sector map was locked, then the content of thesector is decrypted (act 612) and returned (act 614). However, if thebitmap indicates that the sector has not been written to after thesector map was locked, then process 600 proceeds to act 606.

FIG. 7 is a flowchart illustrating an example process for implementingrapid compliance with a data encryption policy using an encrypted chunksmap in accordance with one or more embodiments. Process 700 is carriedout by a computing device, such as computing device 100 of FIG. 1, andcan be implemented in software, firmware, hardware, or combinationsthereof. Process 700 is shown as a set of acts and is not limited to theorder shown for performing the operations of the various acts. Process700 is an example process for implementing rapid compliance with a dataencryption policy using an encrypted chunks map; additional discussionsof implementing rapid compliance with a data encryption policy using anencrypted chunks map are included herein with reference to differentfigures.

In process 700, an encrypted chunks map identifying one or more chunksof sectors of a storage volume is accessed (act 702). The encryptedchunks map is accessed to comply with a policy indicating that datawritten by the computing device to the storage volume after activationof the policy be encrypted.

A chunk that includes a sector to which data is requested to be writtenis identified (act 704). Which sectors are included in which chunks canbe determined in different manners, as discussed above.

A determination is made as to whether the chunk is unencrypted (act706). This determination is made based on the encrypted chunks map asdiscussed above. For example, if a bit in the encrypted chunks mapcorresponding to the chunk is not set then the chunk is unencrypted, andif the bit in the encrypted chunks map corresponding to the chunk is setthen the chunk is encrypted (or not in use).

If the chunk is not unencrypted, then the data to be written to thesector is encrypted (act 708), and the encrypted data is written to thesector of the storage volume (act 710).

However, if the chunk is unencrypted, then the write request is placedon hold (act 712). Placing the write request on hold allows the sectorsin the chunk that includes the sector to which data is requested to bewritten to be encrypted.

The sectors in the chunk that includes the sector to which data isrequested to be written are encrypted (act 714). All sectors included inthe chunk can be encrypted, or alternatively sectors in the chunk otherthan the sector to which data is requested to be written can beencrypted as discussed above.

The encrypted chunks map is updated in memory and the updated map ispersisted on the storage volume (act 716). The update to the encryptedchunks map is a change to the encrypted chunks map to reflect that thechunk including the sectors that were encrypted in act 714 is no longerunencrypted as discussed above. Multiple versions of the encryptedchunks map can also be maintained as discussed above.

The hold on the write request ceases (act 718), and process 700 returnsto act 706 to again check whether the chunk is unencrypted. As the chunkis no longer unencrypted, process 700 proceeds to acts 708 and 710 asdiscussed above. Alternatively, process 700 can return to act 708 ratherthan act 706.

The rapid compliance with data encryption policy techniques discussedherein support various usage scenarios, allowing a rapid indication tobe provided of compliance with a policy indicating that data written toa storage volume after activation of the policy be encrypted despite oneor more sectors of the storage volume being unencrypted. For example,the sector map can be used to identify which sectors were written toprior to the sector map being locked. This sector map can be locked whenan operating system is installed or initialized on the computing device,or alternatively in response to the request to comply with the policy.Regardless of when the sector map is locked, after being locked datawritten to the storage volume is encrypted, and the sector map can beused to determine whether to decrypt or not decrypt data based on whenthe data was written to the storage volume. By way of another example,the encrypted chunks map can be used to identify which chunks of sectorsare unencrypted after application of the policy to the computing device.Data written to sectors after activation of the policy is encrypted, andthe encrypted chunks map can be used to determine whether to decrypt ornot decrypt data based on whether the chunk that includes the sectorfrom which data is read is unencrypted.

Various actions such as receiving, returning, recording, storing,generating, obtaining, and so forth performed by various modules arediscussed herein. A particular module discussed herein as performing anaction includes that particular module itself performing the action, oralternatively that particular module invoking or otherwise accessinganother component or module that performs the action (or performs theaction in conjunction with that particular module). Thus, a particularmodule performing an action includes that particular module itselfperforming the action and/or another module invoked or otherwiseaccessed by that particular module performing the action.

FIG. 8 illustrates an example computing device 800 that can beconfigured to implement rapid compliance with a data encryption policyin accordance with one or more embodiments. Computing device 800 can be,for example, computing device 100 of FIG. 1.

Computing device 800 includes one or more processors or processing units802, one or more computer readable media 804 which can include one ormore memory and/or storage components 806, one or more input/output(I/O) devices 808, and a bus 810 that allows the various components anddevices to communicate with one another. Computer readable media 804and/or one or more I/O devices 808 can be included as part of, oralternatively may be coupled to, computing device 800. Processor 802,computer readable media 804, one or more of devices 808, and/or bus 810can optionally be implemented as a single component or chip (e.g., asystem on a chip). Bus 810 represents one or more of several types ofbus structures, including a memory bus or memory controller, aperipheral bus, an accelerated graphics port, a processor or local bus,and so forth using a variety of different bus architectures. Bus 810 caninclude wired and/or wireless buses.

Memory/storage component 806 represents one or more computer storagemedia. Component 806 can include volatile media (such as random accessmemory (RAM)) and/or nonvolatile media (such as read only memory (ROM),Flash memory, optical disks, magnetic disks, and so forth). Component806 can include fixed media (e.g., RAM, ROM, a fixed hard drive, etc.)as well as removable media (e.g., a Flash memory drive, a removable harddrive, an optical disk, and so forth).

The techniques discussed herein can be implemented in software, withinstructions being executed by one or more processing units 802. It isto be appreciated that different instructions can be stored in differentcomponents of computing device 800, such as in a processing unit 802, invarious cache memories of a processing unit 802, in other cache memoriesof device 800 (not shown), on other computer readable media, and soforth. Additionally, it is to be appreciated that the location whereinstructions are stored in computing device 800 can change over time.

One or more input/output devices 808 allow a user to enter commands andinformation to computing device 800, and also allows information to bepresented to the user and/or other components or devices. Examples ofinput devices include a keyboard, a cursor control device (e.g., amouse), a microphone, a scanner, and so forth. Examples of outputdevices include a display device (e.g., a monitor or projector),speakers, a printer, a network card, and so forth.

Various techniques may be described herein in the general context ofsoftware or program modules. Generally, software includes routines,programs, applications, objects, components, data structures, and soforth that perform particular tasks or implement particular abstractdata types. An implementation of these modules and techniques may bestored on or transmitted across some form of computer readable media.Computer readable media can be any available medium or media that can beaccessed by a computing device. By way of example, and not limitation,computer readable media may comprise “computer storage media” and“communication media.”

“Computer storage media” include volatile and non-volatile, removableand non-removable media implemented in any method or technology forstorage of information such as computer readable instructions, datastructures, program modules, or other data. Computer storage mediainclude, but are not limited to, RAM, ROM, EEPROM, flash memory or othermemory technology, CD-ROM, digital versatile disks (DVD) or otheroptical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed by acomputer. Computer storage media refer to media for storage ofinformation in contrast to mere signal transmission, carrier waves, orsignals per se. Thus, computer storage media refers to non-signalbearing media, and is not communication media.

“Communication media” typically embody computer readable instructions,data structures, program modules, or other data in a modulated datasignal, such as carrier wave or other transport mechanism. Communicationmedia also include any information delivery media. The term “modulateddata signal” means a signal that has one or more of its characteristicsset or changed in such a manner as to encode information in the signal.By way of example, and not limitation, communication media include wiredmedia such as a wired network or direct-wired connection, and wirelessmedia such as acoustic, RF, infrared, and other wireless media.Combinations of any of the above are also included within the scope ofcomputer readable media.

Generally, any of the functions or techniques described herein can beimplemented using software, firmware, hardware (e.g., fixed logiccircuitry), manual processing, or a combination of theseimplementations. The terms “module” and “component” as used hereingenerally represent software, firmware, hardware, or combinationsthereof. In the case of a software implementation, the module orcomponent represents program code that performs specified tasks whenexecuted on a processor (e.g., CPU or CPUs). The program code can bestored in one or more computer readable memory devices, furtherdescription of which may be found with reference to FIG. 8. In the caseof hardware implementation, the module or component represents afunctional block or other hardware that performs specified tasks. Forexample, in a hardware implementation the module or component can be anapplication-specific integrated circuit (ASIC), field-programmable gatearray (FPGA), complex programmable logic device (CPLD), and so forth.The features of the rapid compliance with data encryption policytechniques described herein are platform-independent, meaning that thetechniques can be implemented on a variety of commercial computingplatforms having a variety of processors.

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asexample forms of implementing the claims.

What is claimed is:
 1. A method comprising: receiving, by a computingdevice, a request to activate a policy for the computing device, thepolicy indicating that data written by the computing device to a storagevolume after activation of the policy be encrypted; activating, inresponse to the request, the policy for the computing device, including:encrypting data written to the storage volume after returning anindication of compliance with the policy, using a sector map to identifyone or more sectors of the storage volume that are not encrypted, thesector map identifying one or more sectors of the storage volume writtento prior to the sector map being locked to prohibit changes to thesector map and the sector map including signatures of sectors that werewritten to the storage volume prior to the sector map being locked, datawritten to the storage volume after the sector map is locked beingencrypted but at least some data written to the storage volume beforethe sector map is locked not being encrypted, and using the sector mapto determine whether to decrypt content of a sector of the storagevolume in response to a request to read the content of the sector; andreturning, in response to the request to activate the policy, theindication of compliance with the policy despite one or more sectors ofthe storage volume being unencrypted.
 2. A method as recited in claim 1,the returning comprising returning the response without waiting for thestorage volume to be encrypted.
 3. A method as recited in claim 1, theactivating further comprising returning, in response to the request toread the content, the content without decrypting the content in responseto the sector being one of the one or more sectors written to prior tothe sector map being locked and the signature of the content of thesector matching the signature of the sector identified in the sectormap, and otherwise decrypting the content of the sector and returningthe decrypted content.
 4. A method as recited in claim 1, the activatingfurther comprising: checking a bit corresponding to the sector, the bitbeing one of multiple bits in a bitmap corresponding to the storagevolume, each of the multiple bits indicating whether a correspondingsector of the storage volume has been written to after the sector mapwas locked to prohibit changes to the sector map; decrypting the contentof the sector and returning the decrypted content in response to the bitcorresponding to the sector indicating the sector has been written toafter the sector map was locked; and in response to the bitcorresponding to the sector indicating the sector has not been writtento after the sector map was locked, returning the content withoutdecrypting the content in response to the sector being one of the one ormore sectors written to prior to the sector map being locked and thesignature of the content of the sector matching the signature of thesector identified in the sector map, and otherwise decrypting thecontent of the sector and returning the decrypted content.
 5. A methodas recited in claim 1, the sector map being locked in response to therequest to activate the policy for the computing device.
 6. A method asrecited in claim 5, further comprising, prior to the sector map beinglocked: maintaining a first version of the sector map on the storagevolume; maintaining a second version of the sector map in volatilememory; grouping the sector identifiers and sector signatures intomultiple groups, each group including sector signatures for one or moresectors; updating, in response to data being written to a sectoridentified in a group, a flag value of the group to indicate that thegroup is dirty; and copying the groups that are indicated as dirty fromthe second version of the sector map to the first version of the sectormap in response to a threshold number of the multiple groups beingindicated as dirty.
 7. A method as recited in claim 1, furthercomprising maintaining the sector map on the storage volume, and mappingthe sector map from the storage volume into a sector map in volatilememory when the computing device starts operation.
 8. A method asrecited in claim 1, further comprising: encrypting unencrypted data fromsectors of the storage volume; determining when no unencrypted dataremains on the storage volume; and deleting the sector map and ceasingusing the sector map in response to no unencrypted data remaining on thestorage volume.
 9. A method as recited in claim 8, further comprisingremoving, from the sector map, an identifier and corresponding signatureof a sector in response to unencrypted data from the sector beingencrypted.
 10. A method as recited in claim 1, the signature of thecontent of the sector comprising a value generated as a function of thecontent of the sector.
 11. A method as recited in claim 1, the storagevolume being included as part of the computing device.
 12. A computingdevice comprising: one or more hardware processors; and one or morecomputer storage media devices having stored thereon multipleinstructions that, when executed by the one or more processors to complywith a policy for the computing device, cause the one or more processorsto: access a sector map identifying one or more sectors of a storagevolume written to prior to changes to the sector map being locked toprohibit changes to the sector map, the sector map further identifying,for each of the one or more sectors, a signature of the content of thesector, the policy indicating that data written by the computing deviceto the storage volume after activation of the policy be encrypted; inresponse to a request to read the content of a sector of the storagevolume: read the content of the sector from the storage volume andreturn the content of the sector of the storage volume withoutdecrypting the content in response to both the sector not having beenwritten to after the sector map was locked to prohibit changes to thesector map and the signature of the content of the sector matching thesignature of the sector identified in the sector map; and read thecontent of the sector from the storage volume, decrypt the content ofthe sector of the storage volume, and return the decrypted content inresponse to the sector having been written to after the sector map waslocked to prohibit changes to the sector map.
 13. A computing device asrecited in claim 12, the sector map being locked in response to arequest to activate the policy for the computing device.
 14. A computingdevice as recited in claim 13, the multiple instructions further causingthe one or more processors to, prior to the sector map being locked:maintain a first version of the sector map on the storage volume;maintain a second version of the sector map in volatile memory; groupthe sector identifiers and sector signatures into multiple groups, eachgroup including sector signatures for one or more sectors; update, inresponse to data being written to a sector identified in a group, a flagvalue of the group to indicate that the group is dirty; and copy thegroups that are indicated as dirty from the second version of the sectormap to the first version of the sector map in response to a thresholdnumber of the multiple groups being indicated as dirty.
 15. A computingdevice as recited in claim 12, the multiple instructions further causingthe one or more processors to: encrypt unencrypted data from sectors ofthe storage volume; determine when no unencrypted data remains on thestorage volume; and delete the sector map and ceasing using the sectormap in response to no unencrypted data remaining on the storage volume.16. A computing device as recited in claim 15, the multiple instructionsfurther causing the one or more processors to remove, from the sectormap, an identifier and corresponding signature of a sector in responseto unencrypted data from the sector being encrypted.
 17. A methodimplemented in a computing device, the method comprising: accessing asector map identifying one or more sectors of a storage volume writtento prior to changes to the sector map being locked to prohibit changesto the sector map, the sector map further identifying, for each of theone or more sectors, a signature of the content of the sector, thecomputing device complying with a policy indicating that data written bythe computing device to the storage volume after activation of thepolicy be encrypted; in response to a request to read the content of asector of the storage volume: reading the content of the sector from thestorage volume and returning the content of the sector of the storagevolume without decrypting the content in response to both the sector nothaving been written to after the sector map was locked to prohibitchanges to the sector map and the signature of the content of the sectormatching the signature of the sector identified in the sector map; andreading the content of the sector from the storage volume, decryptingthe content of the sector of the storage volume, and returning thedecrypted content in response to the sector having been written to afterthe sector map was locked to prohibit changes to the sector map.
 18. Amethod as recited in claim 17, further comprising locking the sector mapin response to a request to activate the policy for the computingdevice.
 19. A method as recited in claim 18, further comprising, priorto the sector map being locked: maintaining a first version of thesector map on the storage volume; maintaining a second version of thesector map in volatile memory; grouping the sector identifiers andsector signatures into multiple groups, each group including sectorsignatures for one or more sectors; updating, in response to data beingwritten to a sector identified in a group, a flag value of the group toindicate that the group is dirty; and copying the groups that areindicated as dirty from the second version of the sector map to thefirst version of the sector map in response to a threshold number of themultiple groups being indicated as dirty.
 20. A method as recited inclaim 17, further comprising: encrypting unencrypted data from sectorsof the storage volume; determining when no unencrypted data remains onthe storage volume; and deleting the sector map and ceasing using thesector map in response to no unencrypted data remaining on the storagevolume.